on the security of election audits with low entropy randomness · evt/wote 2009 on the security of...

On the Security of Election Audits with

Low Entropy Randomness

Eric Rescorla

[email protected]

EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 1

Overview

• Secure auditing requires random sampling

– The units to be audited must be verifiably unpredictable

– Simple physical methods (dice, coins, etc.) are expensive

• “Stretching” approaches

– Randomness tables [CWD06]

– Cryptographic pseudorandom number generators

(CSPRNGs) [CHF08]

• These techniques must be seeded with verifiably random values

• Small (but natural) seeds give the attacker an advantage


Formalizing the Problem: The Auditing Game

Audit units

(U)

Attacked

(K)

Audited

(V)

V∩K = /0: Attacker wins

Audit units

(U)

Attacked

(K)

Audited

(V)

V∩K 6= /0: Attacker loses

• Two players: Attacker and Auditor

• U audit units (U0,U1, ...UN−1)

• Attacker selects K⊂ U to attack (|K|= k)

– Selection is made before preliminary results are posted

• Auditor selects V⊂ U to audit (|V|= v)


Auditing Game Strategy

• If the auditor’s selections are random and i.i.d then:

Pr(detection) = 1−v−1

∏i=0

(N− i− k)N− i

• No matter how the attacker chooses K

• This is the auditor’s optimal strategy

• What about intermediate cases?

– Attacker has incomplete information about V


Example: A Million Random Digits [RAN02]

• Pick a random starting group and read forward

– This process has log2(#entries) bits of entropy


Random Number Tables Bias and Attacker Advantage

• Random number tables aren’t the same as random numbers

– The attacker knows the table

– But not the starting point

• Two effects give the attacker an advantage

– Natural variation in the occurrences of each value

– Clustering of values


Natural Variation

160 180 200 220 240

0.00

00.

005

0.01

00.

015

0.02

00.

025

Number of occurrences (n)

Pro

babi

lity

• Binomially distributed counts

• Expected value = T/N


Natural Variation

160 180 200 220 240

0.00

00.

005

0.01

00.

015

0.02

00.

025


Pro

babi

lity

Area=k/N

• Binomially distributed counts


• Attacker selects k least frequent

units


Natural Variation

160 180 200 220 240

0.00

00.

005

0.01

00.

015

0.02

00.

025


Pro

babi

lity

Area=k/N

n_k • Binomially distributed counts


• Attacker selects k least frequent

units

• The kth least frequent unit ap-

pears nk times

nk = min{

n : cdf(n)≥ kN

}


Auditing with Natural Variation

• Total entries in table corresponding to k least frequent units†:

Tbad = Nnk

∑n=0

nϕ(n)

• This is just a standard sampling problem

– Each “good” sample removes approximately F entries:

F =T −Tbad

N− k• Probability of detection of least frequent k units:

Pr(detection) = 1−v−1

∏i=0

T − iF−Tbad

T − iF

†Semi-accurate approximation; see paper.


Clustering Effects

• We’re not really sampling the table randomly

– We read entries in sequence

– The order of the entries matters

0 0 0 0 0 0 0 0 0 0

1 1 1 1 1 1 1 1 1 1

6 7 8 9 2 3 4 5 6 7

8 9 2 3 4 5 6 7 8 9

2 3 4 5 6 7 8 9 2 3

4 5 6 7 8 9 2 3 4 5

6 7 8 9 2 3 4 5 6 7

8 9 2 3 4 5 6 7 8 9

2 3 4 5 6 7 8 9 2 3

4 5 6 7 8 9 2 3 4 5

A table constructed to minimize detection

0 2 3 4 5 1 6 7 8 9

0 2 3 4 5 1 6 7 8 9

0 2 3 4 5 1 6 7 8 9

0 2 3 4 5 1 6 7 8 9

0 2 3 4 5 1 6 7 8 9

0 2 3 4 5 1 6 7 8 9

0 2 3 4 5 1 6 7 8 9

0 2 3 4 5 1 6 7 8 9

0 2 3 4 5 1 6 7 8 9

0 2 3 4 5 1 6 7 8 9

A table constructed to maximize detection


Simulation Studies

• No good analytic model for clustering effect

– Though some potential avenues

• Easiest to study via simulation

– Generate a random table (using CSPRNG)

– Generate an attack set of size k

– Determine which offsets will sample at least one element of K

• Two kinds of attack sets

– Random (should have expected statistics)

– Randomly selected from least frequent 2k units†

• Results averaged over multiple tables (5–25)†This is heuristic. We don’t have a good algorithm here either.


Example

0 100 200 300 400 500 600

0.0

0.2

0.4

0.6

0.8

1.0

Number of Sampled Precincts

Pro

babi

lity

of D

etec

ting

Atta

ck

ExpectedUnder Attack

200,000 entries, 1000 precincts, 10 attacked


The Attacker’s View: Modest Advantage

• Still very likely to be detected

– In the above example: about 4x more chance of success at 99%

– Biggest gap around 80% nominal detection rate (71.4% actual)

• Probably not enough to make or break an attack

– But worth doing if you’re going to attack anyway


The Auditor’s View: Higher Work Factor

Detection Units to Audit Units to Audit Difference

Probability (projected) (under attack)† (percent)

80% 148 190 28

90% 205 270 32

95% 258 340 32

99% 368 540 47

Required audit levels: 200,000 entries, 1000 precincts, 10 attacked precincts


General Trends

• More entries per unit decrease attacker advantage

– Larger tables

– Fewer units

• Higher attack rates decrease attacker advantage

– Need to select increasingly probable values


A Big Table

0 100 200 300 400

0.0

0.2

0.4

0.6

0.8

1.0


Pro

babi

lity

of D

etec

ting

Atta

ck

ExpectedUnder Attack

1,000,000 entries, 1000 precincts, 10 attacked precincts


Permuted Tables

0 100 200 300 400 500 600

0.0

0.2

0.4

0.6

0.8

1.0


Pro

babi

lity

of D

etec

ting

Atta

ck

ExpectedUnder attack (permuted)Under attack (random)

200,000 entries, 1000 precincts, 10 attacked precincts


Potential Improvements

• New tables

– Bigger (107 entries?)

– Permuted rather than random

– Generated using a PRNG?

• Existing tables

– Individual addressing

– Random offsets

– Multiple starting points

– All of these need analysis


What about CSPRNGs?

• CSPRNGs have big state spaces no matter what the seed size

– Stronger than tables for the same seed entropy

– Intuition: sequences don’t overlap

• Cryptographic applications require very large seeds

– Not necessary here

– Need unpredictability, not unsearchability


Security of PRNGs by Seed Size (nominal 99% level)

● ● ●

●

●

●

●

●●

● ● ● ● ● ● ●

5 10 15

0.0

0.2

0.4

0.6

0.8

1.0

Bits of entropy

Pro

babi

lity

of D

etec

ting

Atta

ck

Probability of detection for PRNGs: 1000 precincts, 10 attacked


Summary

• Secure auditing requires verifiably unpredictable random values

• Generating them directly seems expensive

• Natural stretching approaches may not deliver their expected

security

• Not clear if randomness tables can be used safely

• PRNGs appear safe with modest-sized seeds


References

[CHF08] Joseph A. Calandrino, J. Alex Halderman, and Edward W. Felten. In Defense of

Pseudorandom Sample Selection. In Proceedings of the 2008 Electronic Voting

Technology Workshop, 2008. http://www.usenix.org/events/evt08/tech/full_

papers/calandrino/calandrino.pdf.

[CWD06] Arel Cordero, David Wagner, and David Dill. The role of dice in election

audits—extended abstract. IAVoSS Workshop on Trustworthy Elections 2006 (WOTE

2006), June 2006. http://www.cs.berkeley.edu/~daw/papers/dice-wote06.pdf.

[RAN02] RAND Corporation. A Million Random Digits with 100,000 Normal Deviates.

American Book Publishers, 2002.


on the security of election audits with low entropy randomness · evt/wote 2009 on the security of...

Documents